Clustering IDS alarms with an IGA-based approach

Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms, most of which are false positives. Klaus Julisch put forward a clustering method effectual of eliminating false positives and finding root causes. But he proved that the clustering problem is unfortunately NP-complete. In this paper, an immune genetic algorithm is proposed to conquer the NP-complete clustering problem. The ad hoc strategy of generating antibodies and computing their density is proposed. The coding scheme and genetic operations including selection, crossover, and mutation are discussed in detail. The IGA´s local searching ability is improved by combining it with discrete gradient method. The results obtained by several tests are quite encouraging, including that the immune operator contributes much to solve the problem of premature convergence. Compared to a simple GA-based algorithm, the IGA-based one is able to generate higher-quality clusters within shorter period of time.